Gaining Credibility With IT Teams Via Pen Testing

November 07, 2012

Today's Whiteboard Wednesday features Patrick Vitalone and John Greene, who will be talking about how you can gain credibility with IT teams by pen testing for risk validation.

Oftentimes, security teams send over a very long list of vulnerabilities to their IT teams and expect them to be remediated when, in fact, most of those vulnerabilities do not pose any risk at all. By using a penetration testing tool to validate your risks, you are able to see which vulnerabilities actually pose a threat to your company. This allows your IT team to focus on what really matters.

Video Transcript

Patrick: And we're here to talk about, for this Whiteboard Wednesday, gaining credibility with your IT team via a pen test. Now, what that means is, oftentimes you might bring a long list of vulnerabilities to your IT team, and they're doing work that might not need to be done. What a pen test is going to do is shorten the list and show what actually needs to be remediated based on its level of risk.

John: Yeah, I know it's sort of ironic, us being sales guys with pretty limited IT experience, to be up here speaking about credibility in an IT organization. Generally speaking, until maybe they get to do a deal with us, people don't find us to be the most credible people because we're chasing the number, right? Well, in this case, I like to just take it right out of the technology aspect of things and just bring it to a real simple analogy. You may share a house with a significant other, and, like any other relationship in the world, on Sunday you get that list of things you need to do: the laundry, you have to wash the car, you've got to go grocery shopping, you've got to vacuum the rug. Inevitably, sometimes that list has things that you've already done. So, by pen testing, you are essentially making sure that you don't vacuum that rug twice, needlessly wasting time, when you could be playing the newest version of Halo or watching football on Sunday.

Patrick: Just as a note, I don't play video games. So what John's saying is this pen test is going to do three things, essentially. The first: knock out the false positives. You don't want your IT guys remediating something that doesn't come up as an actual vulnerability, thus damaging your credibility.

John: It's also going to identify if there are any compensating controls in place that could protect an exploitable device, for instance, a firewall rule or an IDS/IPS in place that would make the remediation process useless because it's already taken care of.

Patrick: Yeah, and finally, despite the fact that some of these vulnerabilities may be real, they might not actually lead to risk. What a pen test is going to do is actually attack those vulnerabilities to see, if a hacker were to exploit them, does it do any damage? How risky is it? That's the third way a pen test will save your credibility.

John: Let's face it: by giving someone results like a screen image that's been captured, or popping a box on a network that someone may have said you wouldn't be able to get access to if you were a real-world hacker, it's essentially like showing your girlfriend who doesn't believe that you swept the rug that you did, in fact, sweep, or vacuum, or do the dishes, or whatever it is that she's currently nagging about.

Patrick: Essentially, a pen test will save your credibility and stop your IT team from sweeping a clean floor.